rfd/0111-support-connection-testers-with-per-session-mfa.md
Add an MFAAuthenticateResponse field to the GenerateUserCerts request.
As mentioned in the related issue, when a role or config has enabled the require_session_mfa field, users were not able to test connections to their newly added resource in the web UI, because we didn't implement a way for users to provide and authenticate their MFA device.
The Test Connection feature requires establishing a brief session with the target resource, which in turn requires generating a short-lived user certificate. If require_session_mfa is enabled, the cert's mfaVerified field must be set.
Testing showed that the mfaVerified field could potentially be set to any string value (and still qualify as verified), so how we set this field matters. By accepting an MFAAuthenticateResponse, the GenerateUserCerts request will be responsible for validating the response (if provided), and upon success will capture the verified MFA device ID, which will be used to set the mfaVerified field. If validation fails, the request will return an authentication error.
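The validation flow described above, as an added sketch that is not Teleport's own code: the server derives mfaVerified from the device it validated and never copies it from the caller. All types, the `registered` device map and the string "proof" (a stand-in for real challenge verification) are hypothetical.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// Hypothetical stand-ins for illustration; not Teleport's real types.
type MFAAuthenticateResponse struct{ DeviceID, Proof string }

type UserCertsRequest struct {
	Username    string
	MFAResponse *MFAAuthenticateResponse // optional; nil when no MFA was presented
}

type Cert struct {
	Username    string
	MFAVerified string // written only by the server, never copied from the request
}

var ErrAuth = errors.New("authentication error: MFA response rejected")

// validateMFA stands in for real challenge verification. It returns the ID of
// the registered device whose expected proof matches the response.
func validateMFA(registered map[string]string, resp *MFAAuthenticateResponse) (string, error) {
	want, ok := registered[resp.DeviceID]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(resp.Proof)) != 1 {
		return "", ErrAuth
	}
	return resp.DeviceID, nil
}

// GenerateUserCerts validates the MFA response if one is provided and derives
// MFAVerified from the validated device, so a caller cannot choose its value.
func GenerateUserCerts(registered map[string]string, req UserCertsRequest) (*Cert, error) {
	cert := &Cert{Username: req.Username}
	if req.MFAResponse == nil {
		return cert, nil // MFAVerified stays empty: cert is not MFA-verified
	}
	deviceID, err := validateMFA(registered, req.MFAResponse)
	if err != nil {
		return nil, err // no certificate is issued on failed validation
	}
	cert.MFAVerified = deviceID
	return cert, nil
}

func main() {
	reg := map[string]string{"dev-1": "good-proof"} // constructed sample data
	c, err := GenerateUserCerts(reg, UserCertsRequest{"alice", &MFAAuthenticateResponse{"dev-1", "good-proof"}})
	fmt.Println(c.MFAVerified, err)
}
```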
In the web UI, when a user clicks the test connection button, we will call the existing endpoint IsMFARequired, which checks whether MFA is required to access the specified resource.
Then depending on the response: